Re: Accessing a process structure in the processes link list

[Jim Nelson <james4765@verizon.net>]

A M wrote:
> How would you know the offset (location of index 0 if
> it was an array or the head of link list) of that
> variable in memory, in this case it is the process
> table named task of type a pointer to task_struct? 
> 
> Any recommendation for references will be appreciated.
> 
> 
> Thanks, 
> 
> Ali 
> 

http://www.securityfocus.com/infocus/1811

is about identifying hooked syscalls, but the principles involved in locating the 
system call table could be applied to finding the process table.

P. S.  You can locate the process in memory with read access to /proc/kmem or 
/proc/mem (that's a lot tougher, though), but to modify it requires write access.


> --- Doug McNaught <doug@mcnaught.org> wrote:
> 
> 
>>A M <alim1993@yahoo.com> writes:
>>
>>
>>>Would it be possible for a program running as root
>>>that wasn't compiled with the kernel to access a
>>>process structure in the processes link list? 
>>
>>Yes, but see below.
>>
>>
>>>I've read an article about hiding processes and
>>
>>the
>>
>>>article made sound so easy to access the link list
>>
>>and
>>
>>>hide a process, how easy is it?
>>
>>You need read access to /dev/kmem and a fairly
>>intimate knowledge of
>>the kernel data structures in question.
>> 
>>
>>>Is it possible to a process to access its own
>>
>>entry in
>>
>>>the processes link list?
>>
>>Not without read access to the kmem device...
>>
>>-Doug
>>
> 
> 
> 
> 
> 		
> __________________________________ 
> Do you Yahoo!? 
> The all-new My Yahoo! - Get yours free! 
> http://my.yahoo.com 
>  
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>